berkus
/
actix-web
mirror of https://github.com/fafhrd91/actix-web
1
0
Fork 0
Code Issues Releases Wiki Activity

fix: ignore unparsable cookies in Cookie header

This commit is contained in:
Filip Gregor 2025-10-30 21:49:37 +01:00 committed by Filip Gregor
parent 41e4863748
commit e9dae62195
2 changed files with 23 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
actix-web/CHANGES.md
View File

@ -4,6 +4,7 @@
- Minimum supported Rust version (MSRV) is now 1.88. - Minimum supported Rust version (MSRV) is now 1.88.
- Add `HttpRequest::url_for_map` and `HttpRequest::url_for_iter` methods for named URL parameters. [#3895] - Add `HttpRequest::url_for_map` and `HttpRequest::url_for_iter` methods for named URL parameters. [#3895]
- Ignore unparsable cookies in `Cookie` request header.
[#3895]: https://github.com/actix/actix-web/pull/3895 [#3895]: https://github.com/actix/actix-web/pull/3895

25
actix-web/src/request.rs
View File

@ -414,6 +414,9 @@ impl HttpRequest {
} }
/// Load request cookies. /// Load request cookies.
///
/// Any cookie that cannot be parsed is omitted from the result.
/// This includes cookies with an empty name (e.g. `document.cookie = "=value"`).
#[cfg(feature = "cookies")] #[cfg(feature = "cookies")]
pub fn cookies(&self) -> Result<Ref<'_, Vec<Cookie<'static>>>, CookieParseError> { pub fn cookies(&self) -> Result<Ref<'_, Vec<Cookie<'static>>>, CookieParseError> {
use actix_http::header::COOKIE; use actix_http::header::COOKIE;
@ -422,9 +425,9 @@ impl HttpRequest {
let mut cookies = Vec::new(); let mut cookies = Vec::new();
for hdr in self.headers().get_all(COOKIE) { for hdr in self.headers().get_all(COOKIE) {
let s = str::from_utf8(hdr.as_bytes()).map_err(CookieParseError::from)?; let s = str::from_utf8(hdr.as_bytes()).map_err(CookieParseError::from)?;
for cookie_str in s.split(';').map(|s| s.trim()) { for cookie_str in s.split(';').map(|s| s.trim()).filter(|s| !s.is_empty()) {
if !cookie_str.is_empty() { if let Ok(cookie) = Cookie::parse_encoded(cookie_str) {
cookies.push(Cookie::parse_encoded(cookie_str)?.into_owned()); cookies.push(cookie.into_owned());
} }
} }
} }
@ -677,6 +680,22 @@ mod tests {
assert!(cookie.is_none()); assert!(cookie.is_none());
} }
#[test]
#[cfg(feature = "cookies")]
fn test_empty_key() {
let req = TestRequest::default()
.append_header((header::COOKIE, "cookie1=value1; value2; cookie3=value3"))
.to_http_request();
{
let cookies = req.cookies().unwrap();
assert_eq!(cookies.len(), 2);
assert_eq!(cookies[0].name(), "cookie1");
assert_eq!(cookies[0].value(), "value1");
assert_eq!(cookies[1].name(), "cookie3");
assert_eq!(cookies[1].value(), "value3");
}
}
#[test] #[test]
fn test_request_query() { fn test_request_query() {
let req = TestRequest::with_uri("/?id=test").to_http_request(); let req = TestRequest::with_uri("/?id=test").to_http_request();